GitLab Patches High-Severity CSRF and Web IDE Flaws in Emergency Release
GitLab released versions 18.11.1, 18.10.4, and 18.9.6 on April 22, 2026, fixing multiple high-severity vulnerabilities including a CSRF in the GraphQL API and a path-equivalence issue in the Web IDE.

GitLab has released patch versions 18.11.1, 18.10.4, and 18.9.6 for both Community Edition (CE) and Enterprise Edition (EE), addressing a total of 11 vulnerabilities. The most serious fixes are CVE-2026-4922, a cross-site request forgery (CSRF) vulnerability in the GraphQL API with a CVSS score of 8.1, and CVE-2026-5816, a path-equivalence issue in the Web IDE with a CVSS score of 8.0. GitLab strongly recommends that all self-managed instances upgrade immediately; GitLab.com and GitLab Dedicated already run the patched code, so no customer action is needed there.
CVE-2026-4922 allows an unauthenticated attacker to execute GraphQL mutations on behalf of authenticated users because the GraphQL endpoint did not adequately enforce CSRF protection. The attacker needs no GitLab account: a victim who is logged in to the instance only has to load an attacker-controlled page, and the victim's browser attaches the session cookie to the forged request. Because mutations are the state-changing half of the GraphQL API, this could enable unauthorized data modification or access in the victim's context. The vulnerability affects all GitLab versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1. It was reported by researcher ahacker1 via GitLab's HackerOne bug bounty program.
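To make the class of bug concrete, here is a generic illustration of a cookie-authenticated GraphQL endpoint with and without CSRF defences. This is an added example written for this page; it is not GitLab code and does not reproduce the mechanism of CVE-2026-4922. The session store, the instance origin, the `_session` cookie name, the `X-CSRF-Token` header and the `hypotheticalUpdate` mutation are all assumptions chosen for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session secret that a cross-site page cannot read.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed in-memory session store: cookie value -> session (assumption).
SESSIONS = {"sess-abc": Session(user="alice")}
# Hypothetical origin of the GitLab-like instance (assumption).
ALLOWED_ORIGINS = {"https://gitlab.example.test"}


@dataclass
class Request:
    cookies: dict
    headers: dict
    body: str  # the GraphQL document


def is_mutation(document: str) -> bool:
    """Only mutations change state; read-only queries need no CSRF token."""
    return document.lstrip().startswith("mutation")


def _session_from_cookie(req: Request):
    return SESSIONS.get(req.cookies.get("_session"))


def vulnerable_graphql(req: Request):
    """Cookie-only authentication. Any request carrying the session cookie is
    trusted, and a malicious page can make the victim's browser send that
    cookie, so a forged mutation runs as the victim."""
    sess = _session_from_cookie(req)
    if sess is None:
        return 401, "unauthenticated"
    return 200, f"executed as {sess.user}: {req.body}"


def hardened_graphql(req: Request):
    """Same handler with the usual CSRF defences:
    1. an Origin header, when present, must match the instance origin;
    2. mutations must carry the session's CSRF token in a custom header,
       which HTML forms cannot set and which triggers a CORS preflight
       for scripted cross-origin requests;
    3. mutations must be sent as application/json, which a plain form
       cannot produce without a preflight either."""
    sess = _session_from_cookie(req)
    if sess is None:
        return 401, "unauthenticated"
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request rejected"
    if is_mutation(req.body):
        if req.headers.get("Content-Type", "") != "application/json":
            return 403, "mutations must be sent as application/json"
        token = req.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(token, sess.csrf_token):
            return 403, "missing or invalid CSRF token"
    return 200, f"executed as {sess.user}: {req.body}"


MUTATION = 'mutation { hypotheticalUpdate(input: {}) { errors } }'


def forged_request() -> Request:
    """What an attacker's page can produce with a form POST: the browser
    attaches the victim's cookie, but no custom headers can be set and the
    Origin is the attacker's site (constructed sample)."""
    return Request(
        cookies={"_session": "sess-abc"},
        headers={"Origin": "https://attacker.example.test",
                 "Content-Type": "text/plain"},
        body=MUTATION,
    )


def legitimate_request() -> Request:
    """Same mutation issued by the instance's own front end (constructed)."""
    return Request(
        cookies={"_session": "sess-abc"},
        headers={"Origin": "https://gitlab.example.test",
                 "Content-Type": "application/json",
                 "X-CSRF-Token": SESSIONS["sess-abc"].csrf_token},
        body=MUTATION,
    )


if __name__ == "__main__":
    print("vulnerable, forged:  ", vulnerable_graphql(forged_request()))
    print("hardened,   forged:  ", hardened_graphql(forged_request()))
    print("hardened,   legit:   ", hardened_graphql(legitimate_request()))
```

The forged request succeeds against the cookie-only handler and is rejected by the hardened one, while the front end's own request, which can read the token, still goes through. `SameSite` cookie attributes are a useful second layer but are deliberately not relied on here, since the token check must hold even when the cookie is sent.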
CVE-2026-5816 is an improper resolution of path equivalence in the Web IDE's asset handling, allowing an unauthenticated attacker to execute arbitrary JavaScript in a user's browser session under certain conditions. This flaw affects versions from 18.10 before 18.10.4 and 18.11 before 18.11.1, and was reported by researcher joaxcar.
Additional high-severity fixes include CVE-2026-5262, a cross-site scripting (XSS) vulnerability in the Storybook development environment (CVSS 8.0), which could allow token access. Medium-severity issues addressed include denial-of-service (DoS) vulnerabilities in the discussions endpoint (CVE-2025-0186), Jira import (CVE-2026-1660), notes endpoint (CVE-2025-6016), and GraphQL API (CVE-2025-3922). Other medium-severity fixes cover insufficient session expiration in virtual registry credentials, improper access control in the issue description renderer, and improper restriction of UI layers in the Mermaid sandbox. Low-severity issues include an access control flaw in the project fork relationship API.
GitLab has not reported any active exploitation of these vulnerabilities in the wild. However, given the high severity and the fact that the two most serious issues can be triggered by an unauthenticated attacker, administrators are urged to prioritize patching. The patches are available for all supported deployment types, including Omnibus packages, source installations, and the Helm chart.
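A quick check an administrator can run against the installed version is shown below. It is an added example for this page, not a GitLab tool; the affected ranges are transcribed from the advisory text above for the two high-severity CVEs only, and the version strings passed in are constructed samples. The recommended fix it returns is the lowest patched release at or above the current version and ignores GitLab's required intermediate upgrade stops, which still have to be followed.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: (first affected, first fixed) per branch.
# A version v is affected when first_affected <= v < first_fixed.
AFFECTED = {
    "CVE-2026-4922": [((17, 0, 0), (18, 9, 6)),
                      ((18, 10, 0), (18, 10, 4)),
                      ((18, 11, 0), (18, 11, 1))],
    "CVE-2026-5816": [((18, 10, 0), (18, 10, 4)),
                      ((18, 11, 0), (18, 11, 1))],
}

FIXED_RELEASES: List[Version] = [(18, 9, 6), (18, 10, 4), (18, 11, 1)]


def parse_version(text: str) -> Version:
    """Accepts '18.10.3', 'v18.10.3', '18.10.3-ee' or '18.10' and returns a
    comparable (major, minor, patch) tuple. Edition suffixes are dropped."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def affected_cves(version_text: str) -> List[str]:
    """CVEs from the table above whose affected ranges contain this version."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(lo <= v < hi for lo, hi in ranges):
            hits.append(cve)
    return hits


def recommended_fix(version_text: str) -> Optional[str]:
    """Lowest patched release at or above the given version, or None when the
    version is already at or past every fix and not in any affected range."""
    v = parse_version(version_text)
    if not affected_cves(version_text):
        return None
    for fixed in sorted(FIXED_RELEASES):
        if fixed > v:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    for sample in ["18.10.3-ee", "18.9.6", "17.11.2", "18.11.0", "16.11.0"]:
        print(sample, affected_cves(sample), recommended_fix(sample))
```

On a self-managed instance the installed version is what `/help` or the `/api/v4/version` endpoint reports; feed that string to `affected_cves` and treat any non-empty result as a reason to schedule the upgrade.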
This release lands on GitLab's regular patch cadence of two scheduled patch releases a month, on the second and fourth Wednesdays. GitLab's policy is to publish full vulnerability details on its public issue tracker 30 days after the patch release. The company continues to emphasize keeping instances on a supported, current version to mitigate risks from both known and emerging threats.